Posted by timothy on Thursday June 05, 2014 @10:45AM
from the disclosure-of-diclosure dept.

Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'

If open source has one strength, it's that when many skilled eyes DO converge on the code

Keep making excuses for why open source should get a pass on something like this. The code has been around for 16 years. How many eyes have looked at the code since it was put out?

Open source is no better or worse than closed source. People just like to think it is because of situations like this when someone shouts, "I found a flaw!" but completely ignore the time the problem has existed.

If open source is so great, this flaw wouldn't have been around this long, would it?

I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.